CN107508827A - A kind of message parsing method and device - Google Patents


Publication number
CN107508827A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710833249.4A
Other languages
Chinese (zh)
Other versions
CN107508827B (en
Inventor
郑展伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Byzoro Network Ltd
Tongding Interconnection Information Co Ltd
Original Assignee
Byzoro Network Ltd
Tongding Interconnection Information Co Ltd
Application filed by Byzoro Network Ltd, Tongding Interconnection Information Co Ltd
Priority to CN201710833249.4A
Publication of CN107508827A
Application granted
Publication of CN107508827B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a message parsing method and device. The method includes the steps of: receiving a message and assembling its key information into a Key; querying a preset behavior analysis table with the assembled Key; judging whether the received message is a special-type message; if it is a special-type message, judging whether it is a real-time message or a large-flow message; if it is a real-time message, scheduling a processor with priority to process the message in real time and then sending the message to the destination port; if it is a large-flow message, performing fragmentation processing and sending it to the destination port once processing is complete. The invention can give priority to real-time messages and, for large-flow messages, uses fragmentation to achieve same-source, same-destination processing. In addition, the network analysis device of the invention avoids repeating a series of deep packet parsing operations when an identical message is received again, which avoids adding to the burden on the analysis device and saves the CPU resources of the network analysis device.

Description

A kind of message parsing method and device
Technical Field
The present invention relates to the technical field of service message parsing, and in particular to a message parsing method and device.
Background
The message processing methods of existing network analysis devices usually include a fragmentation information handling flow. Its main steps involve a preset fragmentation information table: the fragment identifier is looked up in the table to find the corresponding processor number. A large-flow message undergoes fragmentation processing, and its key information is extracted and looked up in the preset fragmentation information table to ensure that messages end up with same-source, same-destination processing. For example, the Chinese invention patent with application number 201210049845.0, entitled 《Message diversion method, device, processor and the network equipment》, describes such a message processing method. Referring to Fig. 1, the fragmentation information processing steps in that patent are: Step 101, the device receives a message and parses its key information, including the outer IP, the inner IP and the message identifier; Step 102, the device judges from the fragmentation information in the message header whether the message is a fragment message; Step 103, if the message is a fragment message, the device looks up, in the pre-stored fragmentation information table, the processor number corresponding to the fragment message's outer IP address and fragment identifier; Step 104, when the processor number corresponding to the fragment message's outer IP and fragment identifier is found in the fragmentation information table, the fragment message is sent to the corresponding processor. Received messages are thus processed according to the fragmentation information table, which ensures that subsequent fragment messages are forwarded to the same processor and guarantees same-source, same-destination processing.
When processing received messages, the fragmentation scheme disclosed in the above patent uses a preset fragmentation information table to find the specific processor unit that will process a message, so that large-flow messages are fragmented uniformly and enter the same processing unit, achieving same-source, same-destination processing. However, that method does not consider that many messages are real-time messages that need timely processing, nor does it consider how to update the fragmentation information so that newly appearing over-length messages can also be handled by fragmentation.
Summary of the Invention
The object of the present invention is to address the above defects of existing message processing methods by providing a new message parsing scheme that responds quickly to high-priority real-time messages with priority processing and also updates the fragmentation information of over-length messages in time, improving the processing performance of the network analysis device. To achieve this object, the technical solution of the present invention is as follows:
According to one aspect of the present invention, a message parsing method is provided, including the steps of:
receiving a message, obtaining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assembling them into key information Key;
querying a preset behavior analysis table with the assembled key information Key, the behavior analysis table being a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action;
judging from the query result whether the received message is a special-type message, a special-type message being one whose assembled key information Key can be found in the behavior analysis table;
when the received message is a special-type message, further judging whether it is a real-time message or a large-flow message, a large-flow message being a non-real-time message with a large data flow;
when the special-type message is a real-time message, scheduling a processor with priority, according to the scheduling algorithm, to process the message in real time, and sending the message to the destination port after the processor finishes;
when the special-type message is a large-flow message, performing fragmentation processing on it, recording the fragmentation information and the number of the scheduled processor in a fragmentation information table, scheduling the processor with the corresponding number according to the fragmentation information table to process the fragments, and sending them to the destination port after processing is complete.
Preferably, the specific method of judging whether the special-type message is a real-time message or a large-flow message is: judging whether the message type flag corresponding to the key information Key found in the behavior analysis table is 0 or 1; 0 indicates that the special-type message is a real-time message, and 1 indicates that it is a large-flow message.
Preferably, when the received message is a non-special-type message, that is, an ordinary message whose assembled key information Key cannot be found in the behavior analysis table, the ordinary message execution flow is carried out and the message is sent to the destination port after the processor finishes; the ordinary message execution flow means that the hardware multi-core parallel scheduling mechanism designed into the processor architecture automatically schedules a processor to process the message.
Preferably, the ordinary message execution flow includes:
judging whether the received message is a real-time message or a large-flow message;
if it is a real-time message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling them into key information Key, setting the message type flag to 0, and adding the assembled key information Key and its corresponding message type flag to the behavior analysis table as a new entry;
if it is a large-flow message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling them into key information Key, setting the message type flag to 1, and adding the assembled key information Key and its corresponding message type flag to the behavior analysis table as a new entry.
According to another aspect of the present invention, a message parsing device is provided, including:
a receiving module, configured to receive a message, obtain the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assemble them into key information Key;
a query module, configured to query a preset behavior analysis table with the assembled key information Key, the behavior analysis table being a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action;
a first judging module, configured to judge from the query result whether the received message is a special-type message, a special-type message being one whose assembled key information Key can be found in the behavior analysis table;
a second judging module, configured to, when the received message is a special-type message, further judge whether it is a real-time message or a large-flow message, a large-flow message being a non-real-time message with a large data flow;
a first processing module, configured to, when the special-type message is a real-time message, schedule a processor with priority, according to the scheduling algorithm, to process the message in real time, and send the message to the destination port after the processor finishes;
a second processing module, configured to, when the special-type message is a large-flow message, perform fragmentation processing on it, record the fragmentation information and the number of the scheduled processor in a fragmentation information table, schedule the processor with the corresponding number according to the fragmentation information table to process the fragments, and send them to the destination port after processing is complete.
Preferably, the second judging module is further configured to, when the received message is a special-type message, judge whether the message type flag corresponding to the key information Key found in the behavior analysis table is 0 or 1.
Preferably, when the received message is a non-special-type message, that is, an ordinary message whose assembled key information Key cannot be found in the behavior analysis table, the parsing device further includes:
a third processing module, configured to carry out the ordinary message execution flow and send the message to the destination port after the processor finishes; the ordinary message execution flow means that the hardware multi-core parallel scheduling mechanism designed into the processor architecture automatically schedules a processor to process the message.
Preferably, the third processing module further includes:
a third judging module, configured to judge whether the received message is a real-time message or a large-flow message;
a first entry creation module, configured to, when the received message is a real-time message, obtain its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assemble them into key information Key, set the message type flag to 0, and then create in the behavior analysis table the entry corresponding to the assembled key information Key and message type flag;
a second entry creation module, configured to, when the received message is a large-flow message, obtain its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assemble them into key information Key, set the message type flag to 1, and then create in the behavior analysis table the entry corresponding to the assembled key information Key and message type flag.
The present invention has the following advantages and beneficial effects:
First, the invention provides a dynamic process for adding to the behavior analysis table: entries are added to the table according to the parsed message Key and the result of analysing the message's historical behavior, and are stored in memory by hashing with a hash algorithm, which enables high-speed lookup and efficient message parsing.
Second, the invention can give priority to real-time messages, mainly by using the chip's multi-core engine parallel scheduling algorithm with scheduling realised by a software algorithm, which guarantees priority processing of real-time messages.
Third, for large-flow messages the invention uses fragmentation processing while ensuring that messages belonging to the same flow are ultimately handled by the same processor, achieving same-source, same-destination processing and ensuring that data messages are processed correctly.
Fourth, the network analysis device of the invention avoids repeating a series of deep packet parsing operations when an identical message is received again, which avoids adding to the burden on the analysis device and saves the CPU resources of the network analysis device.
Fifth, the invention classifies messages before processing them, so messages can be handled quickly and accurately, improving the processing performance of the network analysis device.
Brief Description of the Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of message parsing in the prior art;
Fig. 2 is a flow chart of the first embodiment of the message parsing method of the present invention;
Fig. 3 is a flow chart of the second embodiment of the message parsing method of the present invention;
Fig. 4 is a structural block diagram of the first embodiment of the message parsing device of the present invention;
Fig. 5 is a structural block diagram of the second embodiment of the message parsing device of the present invention.
Detailed Description
The specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 2 is a flow chart of the first embodiment of the message parsing method of the present invention. As shown in Fig. 2, the message parsing method includes:
Step 201, receive a message, obtain the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assemble them into key information Key.
In the above step, the source MAC address is the physical address of the message's source device; the destination MAC address is the physical address of the device the message is sent to; the source IP address is the IP address of the message's source device; the destination IP address is the IP address of the destination device; and the protocol version number is the protocol type of the message's layer-4 protocol, such as TCP, UDP or SPX.
Step 202, query a preset behavior analysis table with the assembled key information Key. The behavior analysis table is a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action.
The behavior analysis table is a hash table made up of the Key, composed of key information such as the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, and the corresponding message processing mechanism, namely the message type flag and the message processing action. Message processing actions include, for example: process immediately, discard, stop.
Step 203, judge from the query result whether the received message is a special-type message. A special-type message is one whose assembled key information Key can be found in the behavior analysis table.
When the assembled key information Key can be found in the behavior analysis table, that is, the assembled Key exists in the hash table, the received message is a special-type message, and the message type flag and specific processing action for the received message can be matched in the hash table.
Step 204, when the received message is a special-type message, further judge whether it is a real-time message or a large-flow message. A large-flow message is a non-real-time message with a large data flow.
In the present invention, a real-time message may be, for example, a live broadcast or a video stream, in which case the message type flag matched in the hash table is 0; a large-flow message may be a large text, a picture, a non-real-time video file and so on, in which case the message type flag matched in the hash table is 1.
In the above step, once the received message has been judged from the behavior analysis table to be a special-type message, it is further analysed to determine whether it is a real-time message or a large-flow message. This further analysis relies on the message type flag bit in the result field of the behavior analysis table: if the flag value is 0 the message is a real-time message, and if the flag value is 1 it is a large-flow message.
Step 205, when the special-type message is a real-time message, schedule a processor with priority, according to the scheduling algorithm, to process the message in real time, and send the message to the destination port after the processor finishes.
The scheduling algorithm in the above step is the hardware multi-core parallel scheduling mechanism designed according to the processor architecture, that is, distribution is performed by the hardware scheduling engine of the multi-core processor. When a message with a higher priority arrives, the multi-core processor's scheduling engine can interrupt the processor running one of the tasks and switch it to the current task to process the high-priority message. This is the priority scheduling algorithm, and it is how the message is processed in real time.
Step 206, when the special-type message is a large-flow message, perform fragmentation processing on it, record the fragmentation information and the number of the scheduled processor in a fragmentation information table, schedule the processor with the corresponding number according to the fragmentation information table to process the fragments, and send them to the destination port after processing is complete.
If the message is a large-flow message, such as a large text or a picture, fragmentation processing is performed, and the fragmentation information and the number of the scheduled processor unit are recorded in the fragmentation information table.
In the above step, fragmentation is performed according to the maximum payload that the network path can carry (the Maximum Transmission Unit, MTU, which is the largest packet size that can pass through a given layer of a communication protocol). A large-flow message is split into multiple data streams for processing, and the fragmentation information of each fragment message, such as the source IP address, destination IP address and processor identifier, is recorded in the fragmentation information table. This ensures that fragment messages belonging to the same large flow are ultimately processed on the same processor, guaranteeing same-source, same-destination processing. After the fragment messages belonging to one flow have all been processed on the same processor, they are sent to the destination port according to the message's destination MAC address.
Fig. 3 is a flow chart of the second embodiment of the message parsing method of the present invention. The message parsing method includes:
Step 301, receive a message, obtain the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assemble them into key information Key.
In the above step, the source MAC address is the physical address of the message's source device; the destination MAC address is the physical address of the device the message is sent to; the source IP address is the IP address of the message's source device; the destination IP address is the IP address of the destination device; and the protocol version number is the protocol type of the message's layer-4 protocol.
Step 302, query a preset behavior analysis table with the assembled key information Key. The behavior analysis table is a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action.
The behavior analysis table is a hash table made up of the Key, composed of key information such as the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, and the corresponding message processing mechanism, namely the message type flag and the message processing action. Message processing actions include, for example: process immediately, discard, stop.
Step 303, judge from the query result whether the received message is a special-type message. A special-type message is one whose assembled key information Key can be found in the behavior analysis table.
When the assembled key information Key can be found in the behavior analysis table, that is, the assembled Key exists in the hash table, the received message is a special-type message, and the message type flag and specific processing action for the received message can be matched in the hash table.
Step 304, when the received message is a special-type message, further judge whether it is a real-time message or a large-flow message. A large-flow message is a non-real-time message with a large data flow.
In the present invention, a real-time message may be, for example, a live broadcast or a video stream, in which case the message type flag matched in the hash table is 0; a large-flow message may be a large text, a picture and so on, in which case the message type flag matched in the hash table is 1.
In the above step, once the received message has been judged from the behavior analysis table to be a special-type message, it is further analysed to determine whether it is a real-time message or a large-flow message. This further analysis relies on the message type flag bit in the result field of the behavior analysis table: if the flag value is 0 the message is a real-time message, and if the flag value is 1 it is a large-flow message.
Step 305, when the special-type message is a real-time message, schedule a processor with priority, according to the scheduling algorithm, to process the message in real time, and send the message to the destination port after the processor finishes.
The scheduling algorithm in the above step is the hardware multi-core parallel scheduling mechanism designed according to the processor architecture, that is, distribution is performed by the hardware scheduling engine of the multi-core processor. When a message with a higher priority arrives, the multi-core processor's scheduling engine can interrupt the processor running one of the tasks and switch it to the current task to process the high-priority message. This is the priority scheduling algorithm, and it is how the message is processed in real time.
Step 306, when the special-type message is a large-flow message, perform fragmentation processing on it, record the fragmentation information and the number of the scheduled processor in a fragmentation information table, schedule the processor with the corresponding number according to the fragmentation information table to process the fragments, and send them to the destination port after processing is complete.
If the message is a large-flow message, such as a large text or a picture, fragmentation processing is performed, and the fragmentation information and the number of the scheduled processor unit are recorded in the fragmentation information table.
In the above step, fragmentation is performed according to the maximum payload that the network path can carry (the Maximum Transmission Unit, MTU, which is the largest packet size that can pass through a given layer of a communication protocol). A large-flow message is split into multiple data streams for processing, and the fragmentation information of each fragment message, such as the source IP address, destination IP address and processor identifier, is recorded in the fragmentation information table. This ensures that fragment messages belonging to the same large flow are ultimately processed on the same processor, guaranteeing same-source, same-destination processing. After the fragment messages belonging to one flow have all been processed on the same processor, they are sent to the destination port according to the message's destination MAC address.
Step 307, when step 303 judges the received message to be a non-special-type message, that is, an ordinary message whose assembled key information Key cannot be found in the behavior analysis table, carry out the ordinary message execution flow. The ordinary message execution flow means that the hardware multi-core parallel scheduling mechanism designed into the processor architecture automatically schedules a processor to process the message.
The ordinary message execution flow further includes the steps of:
Step 307a, further judge whether the non-special-type message is a real-time message or a large-flow message;
In this step, because the behavior analysis table contains no entry matching the message's key information Key, the message type flag in the behavior analysis table cannot be used to tell whether the message is a real-time message or a large-flow message. Other means, such as deep packet inspection (DPI), can be used to determine the message type instead.
Step 307b, if the non-special-type message is a real-time message, obtain its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assemble them into key information Key, set the message type flag to 0, and add the assembled key information Key and its corresponding message type flag to the behavior analysis table as a new entry;
Step 307c, if the non-special-type message is a large-flow message, obtain its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assemble them into key information Key, set the message type flag to 1, and add the assembled key information Key and its corresponding message type flag to the behavior analysis table as a new entry.
In steps 307b and 307c above, an entry is created and added to the behavior analysis table for a message received for the first time, according to the parsing result, so that the next time a message of the same type is received the special-type message processing flow can be carried out directly without deep packet inspection, improving message parsing efficiency.
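The Fig. 3 flow (steps 301 to 307c) as an added Python sketch, not code from the patent: a table miss triggers one deep inspection and a learned entry, and later messages with the same Key take the real-time or large-flow path directly. The round-robin scheduler, the `deep_inspect` stand-in for DPI, the `max_entries` bound with LRU eviction, and all names and sample values are assumptions introduced for illustration.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Callable, NamedTuple, Optional

REAL_TIME, LARGE_FLOW = 0, 1  # flag values as given in the patent text


class Key(NamedTuple):
    """Key information Key: the five header fields listed in step 301."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str  # layer-4 protocol type, e.g. "TCP" or "UDP"


class Decision(NamedTuple):
    path: str        # "ordinary", "real_time" or "large_flow"
    processor: int   # processor the message (or all its fragments) goes to
    fragments: int   # number of pieces handed to that processor
    priority: bool   # True when the message is scheduled ahead of other work


@dataclass
class Parser:
    deep_inspect: Callable[[bytes], Optional[int]]  # stand-in for DPI (step 307a)
    mtu: int = 1500
    n_processors: int = 4
    max_entries: int = 4096  # assumption: table bound with LRU eviction
    behavior: "OrderedDict[Key, int]" = field(default_factory=OrderedDict)
    fragment_table: dict = field(default_factory=dict)  # (src_ip, dst_ip) -> processor
    deep_inspections: int = 0
    _next: int = 0

    def _schedule(self) -> int:
        """Round-robin stand-in for the hardware multi-core scheduler."""
        cpu = self._next
        self._next = (self._next + 1) % self.n_processors
        return cpu

    def _learn(self, key: Key, flag: int) -> None:
        """Steps 307b/307c: add a new entry so the next message skips DPI."""
        self.behavior[key] = flag
        while len(self.behavior) > self.max_entries:
            self.behavior.popitem(last=False)  # evict least recently used

    def handle(self, key: Key, payload: bytes) -> Decision:
        flag = self.behavior.get(key)  # steps 302-303: hash-table lookup
        if flag is None:               # note: flag 0 is a valid hit, so test for None
            # Step 307: non-special-type message. Inspect once, learn, and
            # process this first message through the ordinary flow.
            self.deep_inspections += 1
            learned = self.deep_inspect(payload)
            if learned in (REAL_TIME, LARGE_FLOW):
                self._learn(key, learned)
            return Decision("ordinary", self._schedule(), 1, False)
        self.behavior.move_to_end(key)  # refresh LRU position on a hit
        if flag == REAL_TIME:
            # Step 305: priority scheduling, no fragmentation.
            return Decision("real_time", self._schedule(), 1, True)
        # Step 306: fragment by MTU and pin the flow to one processor.
        flow = (key.src_ip, key.dst_ip)
        if flow not in self.fragment_table:
            self.fragment_table[flow] = self._schedule()
        pieces = max(1, -(-len(payload) // self.mtu))  # ceiling division
        return Decision("large_flow", self.fragment_table[flow], pieces, False)


def sample_inspector(payload: bytes) -> Optional[int]:
    """Constructed classifier: marker bytes stand in for real DPI results."""
    if payload.startswith(b"LIVE"):
        return REAL_TIME
    if payload.startswith(b"FILE"):
        return LARGE_FLOW
    return None


def demo():
    """Run constructed sample traffic through the parser."""
    p = Parser(deep_inspect=sample_inspector)
    video = Key("aa:00:00:00:00:01", "aa:00:00:00:00:02", "192.0.2.10", "198.51.100.5", "UDP")
    bulk = Key("aa:00:00:00:00:03", "aa:00:00:00:00:02", "192.0.2.11", "198.51.100.5", "TCP")
    return p, [
        p.handle(video, b"LIVE" + b"\x00" * 200),   # miss: ordinary flow, entry learned
        p.handle(video, b"LIVE" + b"\x00" * 200),   # hit: real-time path
        p.handle(bulk, b"FILE" + b"\x00" * 4000),   # miss: ordinary flow, entry learned
        p.handle(bulk, b"FILE" + b"\x00" * 4000),   # hit: 4004 bytes, three fragments
        p.handle(bulk, b"FILE" + b"\x00" * 1000),   # hit: same processor as before
    ]
```

Because the Key carries no port numbers, every flow between the same two hosts over the same layer-4 protocol inherits the first learned flag, and every Key field comes from headers the sender controls. The `max_entries` bound is there so that a stream of first-seen Keys cannot grow the table without limit.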
Fig. 4 is a structural block diagram of the first embodiment of the message parsing device of the present invention. As shown in Fig. 4, the message parsing device includes:
Receiving module 400, for receiving a message, obtaining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and combining these five fields into the key message Key.
In the present invention, the source MAC address is the physical address of the device the message comes from; the destination MAC address is the physical address of the device the message is sent to; the source IP address is the IP address of the source device of the message; the destination IP address is the IP address of the destination device; and the protocol version number refers to the protocol type of the message's layer-4 protocol.
Enquiry module 410, for querying a preset behavioural analysis table according to the built key message Key. The behavioural analysis table is a hash table that records the key message Key of a message together with its corresponding type of message mark flag and message processing action.
The behavioural analysis table is a hash table consisting of the Key, which is composed of key information such as the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, and its corresponding message processing mechanism, i.e. the type of message mark flag and the message processing action. The message processing actions include, for example: process immediately, discard, stop.
First judge module 420, for judging from the query result whether the received message is a special type message. A special type message is a message whose built key message Key can be found in the behavioural analysis table.
When the built key message Key can be found in the behavioural analysis table, i.e. the Key exists in the hash table, the received message is a special type message, and the type of message mark and the specific processing action for the received message can be matched in the hash table.
Second judge module 430, for further determining, when the received message is a special type message, whether the special type message is a real-time type message or a big flow message. A big flow message is a non-real-time message with a large data flow.
In the present invention, a real-time type message may be, for example, a live broadcast or a video stream, in which case the type of message mark flag matched in the hash table is 0; a big flow message may be a large text, a picture and so on, in which case the type of message mark flag matched in the hash table is 1.
In the above, once the behavioural analysis table lookup has determined that the received message is a special type message, the special type message is analysed further to decide whether it is a real-time type message or a big flow message. This further analysis relies on the type of message mark flag in the result field of the behavioural analysis table: if the value of the flag is 0, the message is a real-time type message; if the value of the flag is 1, it is a big flow message.
First processing module 440, for, when the special type message is a real-time type message, dispatching a processor with priority according to the dispatching algorithm to handle the message in real time, and sending the message to the destination interface after the processor has finished processing it.
The dispatching algorithm above is a hardware multi-core concurrent scheduling mechanism designed according to the processor architecture, i.e. dispatch is performed by the hardware scheduling engine of the multi-core, multi-processing system. When a message of higher priority arrives, the scheduling engine of the multi-core processor can interrupt the current task on one of the processors and switch that processor to handling the high-priority message. This is the priority scheduling algorithm, and it is how the message comes to be handled in real time.
Second processing module 450, for, when the special type message is a big flow message, performing burst processing on the big flow message, recording the burst information and the label of the dispatched processor in the burst information table, dispatching the processor with the corresponding label according to the burst information table to handle the burst information, and sending the result to the destination interface after processing is complete.
If the big flow message is, for example, a large text or a picture, burst processing is performed, and the burst information and the label of the dispatched processor unit are recorded in the burst information table.
In the above, burst processing splits the message into fragments according to the maximum load that the network path can carry (the Maximum Transmission Unit, MTU, i.e. the largest packet size that can pass over a given layer of a communication protocol). One big flow message is divided into multiple data flows for processing, and the burst information of each fragment message, such as the source IP address, destination IP address and processor identifier, is recorded in the burst information table. This ensures that the fragment messages belonging to the same big flow are all handled on the same processor, which guarantees same-source, same-destination handling. Once the fragment messages belonging to one flow have all been processed on the same processor, they are sent to the destination interface according to the destination MAC address of the message.
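The following Python example is added here and is not code from the patent. It shows burst processing by MTU with a burst information table that pins every fragment of one big flow to the same processor; choosing the least-loaded processor for a new flow, treating the MTU as the data bytes per fragment (headers ignored) and the sample addresses are assumptions of the example.

```python
from typing import Dict, List, NamedTuple, Tuple


class Fragment(NamedTuple):
    processor: int   # label of the processor that handles this fragment
    offset: int      # byte offset of the fragment inside the original message
    data: bytes


class BurstScheduler:
    def __init__(self, processors: int, mtu: int = 1500):
        if processors < 1 or mtu < 1:
            raise ValueError("need at least one processor and a positive MTU")
        self.mtu = mtu
        self.load = [0] * processors                       # bytes assigned so far
        # Burst information table: (source IP, destination IP) -> processor label.
        self.burst_table: Dict[Tuple[str, str], int] = {}

    def processor_for(self, src_ip: str, dst_ip: str) -> int:
        flow = (src_ip, dst_ip)
        if flow not in self.burst_table:
            # New flow: pick the least-loaded processor (assumed policy) and record it.
            self.burst_table[flow] = self.load.index(min(self.load))
        # Known flow: always the recorded processor, whatever the current load.
        return self.burst_table[flow]

    def split(self, src_ip: str, dst_ip: str, payload: bytes) -> List[Fragment]:
        cpu = self.processor_for(src_ip, dst_ip)
        frags = [Fragment(cpu, off, payload[off:off + self.mtu])
                 for off in range(0, len(payload), self.mtu)]
        self.load[cpu] += len(payload)
        return frags


def reassemble(frags: List[Fragment]) -> bytes:
    # Fragments of one message may arrive in any order; the offset restores it.
    return b"".join(f.data for f in sorted(frags, key=lambda f: f.offset))


# Constructed sample data (documentation address ranges).
BIG = bytes(range(256)) * 16          # 4096 bytes


def demo():
    sched = BurstScheduler(processors=2, mtu=1500)
    a = sched.split("192.0.2.10", "198.51.100.7", BIG)          # new flow -> processor 0
    b = sched.split("192.0.2.11", "198.51.100.7", bytes(100))   # new flow -> processor 1
    c = sched.split("192.0.2.10", "198.51.100.7", bytes(3000))  # known flow -> processor 0
    return a, b, c, sched.load


if __name__ == "__main__":
    a, b, c, load = demo()
    print([len(f.data) for f in a], {f.processor for f in a + c}, load)
```

The third call lands on processor 0 even though processor 1 carries far less load, because the burst information table already holds an entry for that flow.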
Fig. 5 is a structural block diagram of the second embodiment of the message parsing device of the present invention. As shown in Fig. 5, the structure of this second embodiment differs from that of the first embodiment shown in Fig. 4 in that it also includes:
3rd processing module 560, for carrying out the common message execution flow and sending the message to the destination interface after the processor has finished processing it. The common message execution flow refers to using the hardware multi-core concurrent scheduling mechanism designed according to the processor architecture to dispatch a processor automatically to handle the message.
The 3rd processing module 560 further comprises:
3rd judge module 561, for judging whether the received message is a real-time type message or a big flow message;
Here, because no table entry matching the message's key message Key exists in the behavioural analysis table, the type of message mark in the behavioural analysis table cannot be used to tell whether the message is a real-time type message or a big flow message. The message type can instead be determined by other means, such as deep packet inspection (DPI).
First list item creation module 562, for, when the received message is a real-time type message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, combining these five fields into the key message Key, setting the type of message mark flag to 0, and then creating in the behavioural analysis table the table entry corresponding to the built key message Key and type of message mark flag;
Second list item creation module 563, for, when the received message is a big flow message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, combining these five fields into the key message Key, setting the type of message mark flag to 1, and then creating in the behavioural analysis table the table entry corresponding to the built key message Key and type of message mark flag.
The first list item creation module 562 and the second list item creation module 563 ensure that the message parsing device of this embodiment can create and add table entries to the behavioural analysis table according to the result of parsing a message, so that the special type message processing flow can be carried out directly the next time a message of the same type is received. This realises dynamic addition to the behavioural analysis table and improves message parsing efficiency.
It should be noted that in the above embodiments a type of message mark flag of 0 denotes a real-time type message and a flag of 1 denotes a big flow message. This setting does not limit the invention; different settings can be chosen according to the actual situation, for example a flag of 1 for a real-time type message and a flag of 0 for a big flow message. The specific setting can take many forms, and techniques using any of these ways of marking the message type fall within the protection scope of the present invention.
The message parsing method of the present invention classifies messages according to an analysis of their historical behaviour, so that messages can be handled quickly and accurately, with same-source, same-destination handling of big flow messages and priority handling and quick response for high-priority real-time type messages, which improves the processing performance of the network analysis device. In addition, when the same message is received again, the network analysis device of the present invention can avoid repeating a series of deep packet parsing operations, which would add to the burden on the analysis device, and so saves CPU resources of the network analysis device. Furthermore, the behavioural characteristic identification table described in the present invention can hold preset behaviours that take effect after the device has loaded and started successfully, and it can also support dynamic addition: when a message is received for the first time, information such as the message's key message Key and message type is extracted by deep packet processing and added to the behavioural analysis table, so that the next time a message of the same type is received it can be handled directly according to its message type.
The embodiments described above express only preferred embodiments of the present invention. Their description is relatively specific and detailed, but it should not therefore be interpreted as limiting the scope of the patent. It should be pointed out that a person of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. The protection scope of this patent should therefore be determined by the appended claims.

Claims (8)

1. A message parsing method, characterized by comprising the steps of:
receiving a message, obtaining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and combining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into a key message Key;
querying a preset behavioural analysis table according to the built key message Key, the behavioural analysis table being a hash table that records the key message Key of a message and its corresponding type of message mark flag and message processing action;
judging from the query result whether the received message is a special type message, a special type message being a message whose built key message Key can be found in the behavioural analysis table;
when the received message is a special type message, further determining whether the special type message is a real-time type message or a big flow message, a big flow message being a non-real-time message with a large data flow;
when the special type message is a real-time type message, dispatching a processor with priority according to a dispatching algorithm to handle the message in real time, and sending the message to the destination interface after the processor has finished processing it;
when the special type message is a big flow message, performing burst processing on the big flow message, recording the burst information and the label of the dispatched processor in a burst information table, dispatching the processor with the corresponding label according to the burst information table to handle the burst information, and sending the result to the destination interface after processing is complete.
2. A message parsing method as claimed in claim 1, characterized in that the specific method of judging whether the special type message is a real-time type message or a big flow message is: judging whether the type of message mark flag corresponding to the key message Key found in the behavioural analysis table is 0 or 1; if it is 0, the special type message is a real-time type message, and if it is 1, the special type message is a big flow message.
3. A message parsing method as claimed in claim 1, characterized in that, when the received message is a non-special-type message, i.e. a common message whose built key message Key cannot be found in the behavioural analysis table, the common message execution flow is carried out and the message is sent to the destination interface after the processor has finished processing it, the common message execution flow referring to using the hardware multi-core concurrent scheduling mechanism designed according to the processor architecture to dispatch a processor automatically to handle the message.
4. A message parsing method as claimed in claim 3, characterized in that the common message execution flow comprises: judging whether the received message is a real-time type message or a big flow message;
if it is a real-time type message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, combining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into a key message Key, setting the type of message mark flag to 0, and then adding the built key message Key and its corresponding type of message mark flag to the behavioural analysis table as a new table entry;
if it is a big flow message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, combining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into a key message Key, setting the type of message mark flag to 1, and then adding the built key message Key and its corresponding type of message mark flag to the behavioural analysis table as a new table entry.
5. A message parsing device, characterized by comprising:
a receiving module, for receiving a message, obtaining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and combining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into a key message Key;
an enquiry module, for querying a preset behavioural analysis table according to the built key message Key, the behavioural analysis table being a hash table that records the key message Key of a message and its corresponding type of message mark flag and message processing action;
a first judge module, for judging from the query result whether the received message is a special type message, a special type message being a message whose built key message Key can be found in the behavioural analysis table;
a second judge module, for further determining, when the received message is a special type message, whether the special type message is a real-time type message or a big flow message, a big flow message being a non-real-time message with a large data flow;
a first processing module, for, when the special type message is a real-time type message, dispatching a processor with priority according to a dispatching algorithm to handle the message in real time, and sending the message to the destination interface after the processor has finished processing it;
a second processing module, for, when the special type message is a big flow message, performing burst processing on the big flow message, recording the burst information and the label of the dispatched processor in a burst information table, dispatching the processor with the corresponding label according to the burst information table to handle the burst information, and sending the result to the destination interface after processing is complete.
6. A message parsing device as claimed in claim 5, characterized in that the second judge module is further used for, when the received message is a special type message, judging whether the type of message mark flag corresponding to the key message Key found in the behavioural analysis table is 0 or 1.
7. A message parsing device as claimed in claim 5, characterized in that, when the received message is a non-special-type message, i.e. a common message whose built key message Key cannot be found in the behavioural analysis table, the parsing device also includes:
a 3rd processing module, for carrying out the common message execution flow and sending the message to the destination interface after the processor has finished processing it, the common message execution flow referring to using the hardware multi-core concurrent scheduling mechanism designed according to the processor architecture to dispatch a processor automatically to handle the message.
8. A message parsing device as claimed in claim 7, characterized in that the 3rd processing module further comprises:
a 3rd judge module, for judging whether the received message is a real-time type message or a big flow message;
a first list item creation module, for, when the received message is a real-time type message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, combining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into a key message Key, setting the type of message mark flag to 0, and then creating in the behavioural analysis table the table entry corresponding to the built key message Key and type of message mark flag;
a second list item creation module, for, when the received message is a big flow message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, combining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into a key message Key, setting the type of message mark flag to 1, and then creating in the behavioural analysis table the table entry corresponding to the built key message Key and type of message mark flag.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710833249.4A CN107508827B (en) 2017-09-15 2017-09-15 Message parsing method and device

Publications (2)

Publication Number Publication Date
CN107508827A true CN107508827A (en) 2017-12-22
CN107508827B CN107508827B (en) 2021-01-26

Family

ID=60696693

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710833249.4A Active CN107508827B (en) 2017-09-15 2017-09-15 Message parsing method and device

Country Status (1)

Country Link
CN (1) CN107508827B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102624611A (en) * 2011-12-31 2012-08-01 成都市华为赛门铁克科技有限公司 Method, device, processor and network equipment for message dispersion
CN103514043A (en) * 2012-06-29 2014-01-15 华为技术有限公司 Multi-processor system and data processing method thereof
CN103988543A (en) * 2013-12-11 2014-08-13 华为技术有限公司 Control device in wireless local area network, network system, and service processing method
CN105939274A (en) * 2016-05-17 2016-09-14 杭州迪普科技有限公司 Message forwarding method and apparatus

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107888710A (en) * 2017-12-26 2018-04-06 新华三信息安全技术有限公司 A kind of message forwarding method and device
CN109672669A (en) * 2018-12-03 2019-04-23 国家计算机网络与信息安全管理中心 The filter method and device of traffic messages
CN109672669B (en) * 2018-12-03 2021-07-30 国家计算机网络与信息安全管理中心 Method and device for filtering flow message
CN113162913A (en) * 2021-03-15 2021-07-23 煤炭科学技术研究院有限公司 Message analysis method and device of mine monitoring system

Also Published As

Publication number Publication date
CN107508827B (en) 2021-01-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant